SCS-C01 (Page 9)

Two Amazon EC2 instances in different subnets should be able to connect to each other but cannot.It has been confirmed that other hosts in the same subnets are able to communicate successfully, and that security groups have valid ALLOW rules in place to permit this traffic.Which of the following troubleshooting steps should be performed?Read More →

A company maintains sensitive data in an Amazon S3 bucket that must be protected using an AWS KMS CMK.The company requires that keys be rotated automatically every year.How should the bucket be configured?Read More →

A Security Engineer has been asked to create an automated process to disable IAM user access keys that are more than three months old.Which of the following options should the Security Engineer use?Read More →

An IAM user receives an Access Denied message when the user attempts to access objects in an Amazon S3 bucket.The user and the S3 bucket are in the same AWS account.The S3 bucket is configured to use server-side encryption with AWS KMS keys (SSE-KMS) to encrypt all of its objects at rest by using a customer managed key from the same AWS account.The S3 bucket has no bucket policy defined.The IAM user has been granted permissions through an IAM policy that allows the kms:Decrypt permission to the customer managed key.The IAM policy also allows the s3:List* and s3:Get* permissions for the S3 bucket and its objects.Which of the following is a possible reason that the IAM user cannot access the objects in the S3 bucket?Read More →

A security team has received an alert from Amazon GuardDuty that AWS CloudTrail logging has been disabled.The security team’s account has AWS Config, Amazon Inspector, Amazon Detective, and AWS Security Hub enabled.The security team wants to identify who disabled CloudTrail and what actions were performed while CloudTrail was disabled.What should the security team do to obtain this information?Read More →

A security engineer is setting up a new AWS account.The engineer has been asked to continuously monitor the company’s AWS account using automated compliance checks based on AWS best practices and Center for Internet Security (CIS) AWS Foundations Benchmarks.How can the security engineer accomplish this using AWS services?Read More →

Users report intermittent availability of a web application hosted on AWS.Monitoring systems report an excess of abnormal network traffic followed by high CPU utilization on the application web tier.Which of the following techniques will improve the availability of the application? (Choose two.)Read More →

A company uses AWS Key Management Service (AWS KMS).During an attempt to attach an encrypted Amazon Elastic Block Store (Amazon EBS) volume to an Amazon EC2 instance, the attachment fails.The company discovers that a customer managed key has become unusable because the key material for the key was deleted.The company needs the data that is on the EBS volume.A security engineer must recommend a solution to decrypt the EBS volume’s encrypted data key.The solution must also attach the volume to the EC2 instance.Which solution will meet these requirements?Read More →

A company uses AWS Signer with all of the company’s AWS Lambda functions.A developer recently stopped working for the company.The company wants to ensure that all the code that the developer wrote can no longer be deployed to the Lambda functions.Which solution will meet this requirement?Read More →

A company’s AWS CloudTrail logs are all centrally stored in an Amazon S3 bucket.The security team controls the company’s AWS account.The security team must prevent unauthorized access and tampering of the CloudTrail logs.Which combination of steps should the security team take? (Choose three.)Read More →